Update to the Uroburos case: Malware using new technology to circumvent Windows kernel protection

New G Data analysis shows how rootkit infects computers

03/07/2014 | Bochum

Uroburos, the spyware discovered by G Data, has further reinforced its status as complex, highly developed malware for high profile networks, according to further analyses. G Data SecurityLabs has been investigating how computers are infected with the rootkit. In the process, experts discovered that the malware developers are using a new combination of techniques, which the malware can use to get past the central security mechanisms in the core of Windows 64 bit systems, known as the kernel. The complete analysis is available in the G Data SecurityBlog at http://blog.gdatasoftware.com/blog.html.

Windows PatchGuard underminedOnce smuggled onto the system, Uroburos gets past the Kernel Patch Protection - also known as PatchGuard - which secures the core of Windows 64 bit operating systems and is designed to prevent changes being made to it. The malware manipulates the kernel and puts it into test mode. The rootkit can embed itself there without hindrance and is accepted as a valid system driver by the operating system.

This test mode is intended for driver developers so they can use unsigned drivers to test them during the development phase. The malware authors use the process to disable driver verifications. In this way Uroburos can be directly smuggled into the core of the operating system as driver and spy on sensitive data there.